Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

New Way to Nab Hackers

Two security vendors will announce intrusion detection system products that eschew the traditional
signature-based approach to intrusion detection in favor of behavior monitoring and anomaly detection.

Okenas StormWatch 3.0 focuses on the behavior of applications and systems instead of relying on signatures from a database that needs constant updates. StormWatch intercepts function calls at the operating system level and is able to make real-time decisions about whether to allow or reject the applications behavior.

Each application is assigned to a specific class based on how it behaves, and systems administrators can apply policies to each class.

Further reading

If an application attempts to perform a function that is out of line with its normal behavior, StormWatch stops the action and generates an alert. It can also prevent so-called untrusted applications from starting and using "trusted" applications, a common attack method.

The updated version of StormWatch, available now, includes protection for Windows and Solaris systems against heap buffer overflows, which are among the most common and easily exploitable vulnerabilities in software. Last years Code Red and Nimda worms, for example, both exploited buffer overruns in Microsoft Corp.s Internet Information Services Web server.

However, while many experts and vendors are touting such systems as the future of network security, others say there will always be a place for traditional IDSes.

"Theres always going to be signature-based technology because its valuable when theres a prescribed model on how things are supposed to go," said Becky Bace, a technologist at Trident Capital Inc., in Palo Alto, Calif., and an IDS expert, formerly with the National Security Agency.

"The key is, the faster you can converge on whats happening, the faster you can resolve it. IDS is like pharmaceuticals: There are some that go after very specific causes and others that have a broad sweep," Bace said.

Okena, in Waltham, Mass., is not the first vendor to take this approach. Companies such as Harris Corp. and Lancope Inc. also rely on a behavior-based approach. However, some IDS experts say anomaly detection alone is no better than using only signatures.

"The thing to realize about anomaly detection is that it assumes anything unusual is wrong. So that means that the majority of behavior must be usual and predictable," said Gene Spafford, a professor of computer science at Purdue University, in West Lafayette, Ind., and the designer of Tripwire, the first free IDS and one of the most widely deployed systems on the Internet.

"Anomaly systems tend to generate more false alarms in general," Spafford said. "Signatures alone work only on things that the signatures match. New attacks or variations on attacks cant be found. Adding signatures to anomaly systems helps cut down on the processing overhead for known attacks."

To that end, IntruVerts new appliances combine the signature-based approach of traditional IDSes with anomaly detection and the ability to detect and choke off denial-of-service attacks. The new I-4000 and I-2600 boxes can monitor how hosts interact with other hosts on the protected network and can identify illegitimate behavior.

The appliances, which are due this summer, also have a "micro-tuning" feature that enables administrators to set multiple policies on a single sensor and apply them to individual applications if they so choose.

"What were trying to do is integrate the entire spectrum of detection technologies," said Ramesh Gupta, vice president of engineering at IntruVert, in San Jose, Calif.

The advantage of the systems that combine signatures and anomaly detection lies in their broader and deeper view of network activity, Trident Capitals Bace said.

"If youre in a position to pull cues from a greater portion of the environment, its easier to find and fix any problems that might come up," she said. "The preponderance of signatures are simplistic, and the best theyre able to do is raise a flag."

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.